Why employees are a bigger security risk than hackers

IT chiefs focused on maintaining corporate defences against cybercrime cannot afford to ignore the substantial – and increasing – risk posed by their firms’ own employees

The growing sophistication of cybercriminals is prompting CISOs to devote ever more attention to protecting their firms’ systems from external attack. But security experts fear that, in doing so, CISOs may be overlooking a growing number of internal threats to data security.

According to research conducted by IT security company Imperva in 2021, “58% of incidents that negatively impact sensitive data are caused by insider threats”. Of these incidents, 61% can be attributed at least partly to abuse or malicious intent, rather than innocent human error.

The study also found that 60% of IT and data security professionals across EMEA prioritise combating external infiltration over addressing internal threats, while 72% of organisations lack any strategy to deal with insider risks. 

The three main reasons respondents cited for this laissez-faire approach were a shortage of funds, a lack of expertise and the belief that employees do not constitute a “substantial threat” to data security. But, given that the cost of insider criminality can run into millions of pounds, experts agree that firms generally need to manage this risk more proactively.

Manoj Reddy, security researcher at the Trellix Advanced Research Centre, reports that 70% of insider attacks are never disclosed by the organisations targeted, adding: “Based on recent industry analysis, insider threats have increased by 47% over the past two years. This threat undermines the confidentiality, integrity and availability of the organisation, while aiding adversaries in gathering intelligence, carrying out sabotage and using subterfuge to achieve their nefarious objectives.”

Analysts suggest that the cost-of-living crisis is driving more employees to copy sensitive corporate data and sell their companies’ intellectual property to rival firms. Other cases involve the extraction of funds from client accounts. Beyond fraud, there are also destructive acts by disgruntled employees on their way out. 

“The rapidly growing nature of insider threats presents a formidable challenge,” Reddy says. “Organisations must prioritise security measures to retain stakeholder confidence. It is essential for them to identify, evaluate and manage such risks.”

Eroding corporate security controls

Not all insider threats have malicious intent behind them, of course. It’s often a case of employees simply ignoring their IT team’s policies for their own convenience. For instance, research by cybersecurity company Armis suggests that employees in more than two-thirds of UK firms are putting their businesses at risk by downloading non-approved software from the internet to their work devices without clearance from their IT teams. 

Dr Igor Baikalov, chief scientist at cybersecurity firm Semperis and a former senior vice-president of global information security at Bank of America, suggests that the rise of remote working could be “further eroding corporate security controls and supervision”.

He believes that the insider security threat is being exacerbated by the increasing complexity of enterprise systems and the pressure on businesses to adopt new and often poorly understood technologies.

Baikalov adds that the abuse of system access privileges by employees “is a common element in insider attacks. Organisations need to implement a comprehensive identity threat detection and response solution that can prioritise and remediate vulnerabilities and misconfigurations in ID systems comprising several identity providers.”

One key method of tackling insider risks is to apply the zero-trust security model, a central element of which is least-privilege access: system users are given only the permissions they need to complete the tasks they’ve been assigned, and nothing more. That way, a compromised or disgruntled account can reach no further than the job it was issued for.

“This significantly reduces the attack surface and limits your potential exposure,” says Lewis Duke, threat intelligence lead at cybersecurity software developer Trend Micro. “The model challenges the traditional notion of a trusted network, recognising that any user or device could be compromised.”
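The least-privilege principle discussed above is easiest to see when a broad role and a scoped role are audited side by side. The following is an added example written for this piece, not code from the article, from Trend Micro or from Semperis. The policy format is constructed and only loosely modelled on the effect/action/resource shape of cloud IAM statements; the role names, action names and the `HELPDESK_NEEDS` task list are assumptions invented for the illustration.

```python
"""Least-privilege audit of two constructed role policies.

A role is a list of statements, each granting or denying an action pattern on
a resource pattern (glob-style wildcards). The audit does three things a
reviewer of insider risk would want: evaluates a concrete request, flags bare
wildcard grants, and lists every action a role allows beyond what its task
actually needs (the excess privilege an insider could abuse).
"""
from fnmatch import fnmatchcase

# Constructed sample roles (assumed names, not from any real tenant).
ROLES = {
    # Over-broad: the kind of grant that turns a helpdesk account into an
    # insider's tool, or an attacker's after credential theft.
    "helpdesk-broad": [
        {"effect": "allow", "action": "*", "resource": "*"},
    ],
    # Least privilege: only what a password-reset task needs, with an explicit
    # deny protecting administrative accounts.
    "helpdesk-scoped": [
        {"effect": "allow", "action": "users:read", "resource": "users/*"},
        {"effect": "allow", "action": "users:reset-password", "resource": "users/*"},
        {"effect": "deny", "action": "users:*", "resource": "users/admin-*"},
    ],
}

# What the helpdesk task actually requires (assumed for the example).
HELPDESK_NEEDS = {"users:read", "users:reset-password"}

# Constructed catalogue of actions the system exposes; used to probe a role
# for permissions its holder does not need.
ACTION_CATALOGUE = [
    "users:read",
    "users:reset-password",
    "users:delete",
    "billing:export",
    "secrets:read",
]


def is_allowed(statements, action, resource):
    """Evaluate one request: an explicit deny always wins, otherwise any
    matching allow grants access, and no match means denied by default."""
    allowed = False
    for st in statements:
        if fnmatchcase(action, st["action"]) and fnmatchcase(resource, st["resource"]):
            if st["effect"] == "deny":
                return False
            allowed = True
    return allowed


def wildcard_grants(statements):
    """Return allow statements whose action or resource is a bare '*'."""
    return [
        st
        for st in statements
        if st["effect"] == "allow" and (st["action"] == "*" or st["resource"] == "*")
    ]


def excess_actions(statements, needed, catalogue, resource):
    """Actions from the catalogue that the role allows on `resource` but
    that are not in the task's `needed` set, sorted for stable output."""
    return sorted(
        a for a in catalogue if a not in needed and is_allowed(statements, a, resource)
    )


def audit(role_name, needed=HELPDESK_NEEDS, resource="users/alice"):
    """Summarise a role's deviation from least privilege."""
    statements = ROLES[role_name]
    return {
        "role": role_name,
        "wildcard_grants": len(wildcard_grants(statements)),
        "excess_actions": excess_actions(statements, needed, ACTION_CATALOGUE, resource),
    }


if __name__ == "__main__":
    for name in ROLES:
        print(audit(name))
    # The scoped role still does its job on ordinary users...
    print(is_allowed(ROLES["helpdesk-scoped"], "users:reset-password", "users/alice"))
    # ...but cannot touch administrative accounts, thanks to the deny.
    print(is_allowed(ROLES["helpdesk-scoped"], "users:reset-password", "users/admin-root"))
```

Running the audit shows the broad role carrying one wildcard grant and three actions the helpdesk task never needs, while the scoped role carries none of either yet still performs the reset it exists for. The explicit deny on `users/admin-*` is the detail worth copying: least privilege is about the resources a role can reach as much as the actions it can perform.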

Helen Davenport, a partner specialising in data protection and cybersecurity matters at law firm Gowling WLG, believes that senior executives need to make board engagement and governance key facets of managing insider risk. 

“The risk applies to businesses of any size, especially in the current economic climate,” she warns. “It’s therefore necessary to properly consider the cost-benefit aspects of all steps that can be taken to ensure a proportionate approach.”

Duke also has advice for the C-suite. He argues that referring to system users as the “weakest link” could do more harm than good. A more constructive approach would be to provide more effective security training for employees and ensure that they are empowered to report any suspicious activity they might observe. 

“Insider attacks are manageable,” he stresses. “A proactive, user-centric approach to cybersecurity can effectively mitigate such risks and create a more secure digital environment. Armed with the right knowledge and tools, users can become valuable assets in the fight against insider threats, effectively turning the ‘weakest link’ into a strong line of defence.”

The monitoring of employees is a particularly sensitive aspect of managing insider threats. Companies considering surveillance as an option should think carefully about its potential ramifications. That’s the view of Ian Thornton-Trump, CISO at threat intelligence company Cyjax. He notes that monitoring can be a difficult measure to introduce, not only because of the legal implications but also because of the negative psychological effects it could have on those under observation. 

While he believes that government bodies or firms operating in particularly sensitive fields may have a genuine case for using surveillance, Thornton-Trump warns: “Insisting on monitoring without the right reasons is going to damage morale, trust and loyalty.” 

He offers a piece of advice that firms should not overlook in their eagerness to use tech to combat insider threats. 

“I’d argue that psychology is what pushes people over the edge to create an insider threat,” Thornton-Trump says. “Treating your employees well goes a long way towards preventing them from getting disgruntled and contemplating malicious behaviour. A happy employee is less likely to become a turncoat.”